Abstract

Sequence generators obtained by linear recursions over the two-element
field $\mathbb{F}_2$ are widely used as pseudorandom number generators. For example,
the Mersenne Twister MT19937 is one of the most successful applications.
An advantage of such generators is that we can assess them by using
theoretical criteria, such as the dimension of equidistribution with $v$-bit accuracy.
To compute these dimensions, several lattice reduction methods have been
proposed.

In this paper, we focus on the relationship between points in the
Couture-L'Ecuyer dual lattices and $\mathbb{F}_2$-linear relations on the most significant $v$ bits
of output sequences, and consider a new figure of merit $N_v$ based on the
minimum weight of $\mathbb{F}_2$-linear relations whose degrees are minimal for $v$. Next,
we apply the figure of merit to the Mersenne Twister MT19937. Our
experimental results show that MT19937 has low-weight $\mathbb{F}_2$-linear relations in
dimensions higher than 623, and that some output vectors with specific lags
are rejected or have small p-values in the birthday spacings tests. We also
report that some variants of Mersenne Twister, such as WELL generators,
are significantly improved from the perspective of $N_v$.
1. Introduction

The Mersenne Twister MT19937 is a pseudorandom number generator
developed by Matsumoto and Nishimura [26]. This generator has the following
advantages: (i) Its generation speed is very fast; (ii) it has a large period
of $2^{19937} - 1$; (iii) it has high-dimensional equidistribution property (i.e.,
623-dimensionally equidistributed). Thus, MT19937 is currently one of the most
widely used pseudorandom number generators in Monte Carlo simulations.
For example, it is the default generator for a recent version of R (see [35]), it
is presented in the GNU Scientific Library, and it is implemented in a large
number of programming languages.

The algorithm of the Mersenne Twister is based on the following linear
recurrence over the two-element field $\mathbb{F}_2 := \{0, 1\}$:

$$\mathbf{m}_i := \mathbf{m}_{i+n_2-n_1} \oplus A(\mathbf{m}_{i-n_1}^{w-r} \mid \mathbf{m}_{i-n_1+1}^{r}) \quad (i = 0, 1, 2, \ldots), \tag{1}$$

where $\mathbf{m}_i \in \mathbb{F}_2^w$ is a $w$-bit vector ($w$ indicates the word size of machines), $n_1$
is the degree of recurrence, $n_2$ is an integer with $1 \le n_2 \le n_1$, $\oplus$ denotes
the component-wise addition modulo 2 (i.e., bitwise exclusive-or in
computer terminology), $A$ is a suitable $w \times w$ matrix with elements in $\mathbb{F}_2$, $r$ is an
integer with $0 \le r \le w - 1$, $\mathbf{m}_{i-n_1}^{w-r}$ is the upper $w - r$ coordinates of $\mathbf{m}_{i-n_1}$,
$\mathbf{m}_{i-n_1+1}^{r}$ is the lower $r$ coordinates of $\mathbf{m}_{i-n_1+1}$, and
$(\mathbf{m}_{i-n_1}^{w-r} \mid \mathbf{m}_{i-n_1+1}^{r}) \in \mathbb{F}_2^w$
denotes a vector that is the concatenation of $\mathbf{m}_{i-n_1}^{w-r}$ and $\mathbf{m}_{i-n_1+1}^{r}$. We set
$\mathbf{m}_{-1}, \mathbf{m}_{-2}, \ldots, \mathbf{m}_{-n_1}$ as initial seeds. Furthermore, in order to improve the
high-dimensional equidistribution property, we execute a linear output
transformation by multiplying a suitable $w \times w$ invertible matrix $T$:

$$\mathbf{y}_i := T\mathbf{m}_i, \tag{2}$$

which is said to be the tempering proposed by Matsumoto and Kurita [24].
Throughout this paper, we identify a $w$-dimensional vector $\mathbf{y}_i = {}^t(y_{i,0}, \ldots, y_{i,w-1})$
with an unsigned $w$-bit binary integer (${}^t$ denotes the transpose of a vector),
and a binary expansion $u_i := \sum_{l=1}^{w} y_{i,l-1} 2^{-l}$ as a real number in the interval
$[0, 1)$. The output sequence is supposed to imitate independent random
variables that are uniformly distributed over $[0, 1)$. The Mersenne Twister
MT19937 has the parameter set $(w, n_1, n_2, r) = (32, 624, 397, 31)$ and selected
matrices $A$ and $T$, which can be computed rapidly. As a result, we have a
maximal period of $2^{19937} - 1$ (i.e., $2^{n_1 w - r} - 1$), which is a Mersenne prime.

Here, the following two quality criteria for linear pseudorandom number
generators over $\mathbb{F}_2$ (so-called $\mathbb{F}_2$-linear generators) are well-known: (i) the
dimension of equidistribution with $v$-bit accuracy $k(v)$ for each $v$ ($1 \le v \le w$)
and (ii) the number $N_1$ of nonzero terms in a characteristic polynomial. From
this perspective, MT19937 was considered to be much superior to all other
classical generators when it appeared approximately 15 years ago, and it has
since become widely used as the most innovative generator.

However, it may not be sufficient to assess the quality of generators
using only the above two criteria. In this paper, we develop a new figure
of merit $N_v$ based on the minimum number of nonzero terms of $\mathbb{F}_2$-linear
relations whose degrees are minimal for the most significant $v$ bits given.
The value $N_v$ can be considered as a quality criterion in dimensions higher
than $k(v)$ and as a multi-dimensional generalization of $N_1$. We assess the
Mersenne Twister MT19937 and its variants in terms of $N_v$'s, and show
that $N_v$'s of MT19937 are small, relative to the WELL generators [34]. We
also report that MT19937 has some deviations in the birthday spacings test
[22, 11, 14, 15] for non-successive output values, which are probably because
of the existence of low-weight $\mathbb{F}_2$-linear relations.

The rest of this paper is organized as follows. In Section 2, we recall a
framework of $\mathbb{F}_2$-linear generators. In Section 3, we explain the terminologies
of $k(v)$ and $N_1$. In Section 4, for use in later sections, we briefly survey
the Couture-L'Ecuyer dual lattice method for computing $k(v)$. In Section 5,
we show the relationship between $\mathbb{F}_2$-linear relations and points in the
Couture-L'Ecuyer dual lattices, define a new figure of merit $N_v$, and give an
algorithm for computing $N_v$ using Gray codes. In Section 6, we analyze the
Mersenne Twister MT19937 in terms of both $N_v$'s and $\mathbb{F}_2$-linear relations. In
Section 7, we report some deviations of MT19937 in birthday spacings tests
with selected lags. Section 8 is devoted to the analysis of other $\mathbb{F}_2$-linear
generators, such as the WELL generators. We also introduce a new tempering
parameter of MT19937 in order to optimize $k(v)$ as an improvement of the
author's previous work [3]. Our conclusions are presented in Section 9.

2. $\mathbb{F}_2$-linear generators

Mersenne Twister generators belong to a general class of pseudorandom
number generators based on the following matrix recurrences over $\mathbb{F}_2$:

$$\mathbf{x}_i := A\mathbf{x}_{i-1}, \tag{3}$$

$$\mathbf{y}_i := B\mathbf{x}_i, \tag{4}$$

$$u_i := \sum_{l=1}^{w} y_{i,l-1} 2^{-l}, \tag{5}$$

where $\mathbf{x}_i = {}^t(x_{i,0}, \ldots, x_{i,p-1}) \in \mathbb{F}_2^p$ is the $p$-bit state vector at step $i$;
$\mathbf{y}_i = {}^t(y_{i,0}, \ldots, y_{i,w-1}) \in \mathbb{F}_2^w$ is the $w$-bit output vector at step $i$; $p$ and $w$ are
positive integers, $A$ is a $p \times p$ transition matrix with elements in $\mathbb{F}_2$, and $B$ is
a $w \times p$ output transformation matrix with elements in $\mathbb{F}_2$. The real number
$u_i \in [0, 1)$ is the output at step $i$. All operations in (3) and (4) are performed
in $\mathbb{F}_2$, i.e., modulo 2. This framework is said to be the $\mathbb{F}_2$-linear generator.
Refer to [3, for details.

Let $P(z) := \det(Iz - A)$ be the characteristic polynomial of $A$. The
recurrence (3) has the period length $2^p - 1$ (its maximal possible value) if
and only if $P(z)$ is a primitive polynomial modulo 2 (see [30]). When this
maximum is reached, we say that the $\mathbb{F}_2$-linear generator has the maximal
period. For simplicity, we assume the maximal-period condition throughout
this paper.

From Section 2.3.5 in [33], the Mersenne Twister (1) fits the above
framework by the transition matrix



A 



S \ 



I, 



V 



A 




I, 







(6) 



/ 



where $I_w$, $I_r$, $I_{w-r}$ are the identity matrices of size $w$, $r$, $w - r$, respectively,

, so that $p = n_1 w - r$.



tit 



rrii, mi i..., m, ni+2 , m 



i— ni +1, 



111 



and Xj 

(Note that MT19937 has $p = 19937$.) For the tempering in (2), the matrix
$B$ is the representation matrix of the following transformation:

$$\mathbf{z} \leftarrow \mathrm{trunc}_w(\mathbf{x}_i), \tag{7}$$

(8)

where "$\leftarrow$" represents the assignment statement, and $\mathrm{trunc}_w(\mathbf{x}_i)$ denotes the
vector ${}^t(x_{i,0}, \ldots, x_{i,w-1})$, which is formed by the leading $w$ coordinates of $\mathbf{x}_i$.



3. Quality criteria 



Following [13], we recall figures of merit for $\mathbb{F}_2$-linear generators.
A primary requirement for long-period $\mathbb{F}_2$-linear pseudorandom number
generators is that $k$-dimensional vectors $(u_i, u_{i+1}, \ldots, u_{i+k-1})$ are uniformly
distributed over the unit hypercube $[0, 1)^k$ for large $k$. From this viewpoint,
we often use the terminology of the dimension of equidistribution with $v$-bit
accuracy. Let $V_k$ be the multiset of $k$-dimensional vectors, from all possible
initial states $\mathbf{x}_0$:

$$V_k := \{(u_0, \ldots, u_{k-1}) \mid \mathbf{x}_0 \in \mathbb{F}_2^p\} \subset [0, 1)^k. \tag{9}$$

Let us divide each axis $[0, 1)$ into $2^v$ pieces. Then, $[0, 1)^k$ is divided into $2^{kv}$
cubic cells of equal size. The generator is said to be $k$-dimensionally
equidistributed with $v$-bit accuracy if each cell contains exactly the same number
of points of $V_k$, i.e., $2^{p-kv}$ points. The largest value of $k$ with this
property is called the dimension of equidistribution with $v$-bit accuracy, denoted
by $k(v)$. As a criterion of uniformity, larger $k(v)$ for each $1 \le v \le w$ is
desirable (see [39]). We have a trivial upper bound $k(v) \le \lfloor p/v \rfloor$. The
gap $d(v) := \lfloor p/v \rfloor - k(v)$ is called the dimension defect at $v$, and their sum
$\Delta := \sum_{v=1}^{w} (\lfloor p/v \rfloor - k(v))$ is called the total dimension defect. If $\Delta = 0$,
the generator is said to be maximally equidistributed. Note that MT19937
has $\Delta = 6750$, and $k(v)$ does not always attain the upper bound for each
$1 \le v \le w$.

As a secondary requirement, we may consider whether the number $N_1$ of
nonzero coefficients for a given characteristic polynomial $P(z)$ is large (see
[H, Hlj]). Ideally, we desire that $N_1$ is close to half the degree of $P(z)$ (i.e., $p/2$).
For example, according to [19], [25], [27], generators for which $P(z)$ is a trinomial
or a pentanomial fail statistical tests, so we should avoid such generators.
MT19937 has $N_1 = 135$ nonzero coefficients in $P(z)$, a number much
greater than three or five. Panneton, L'Ecuyer, and Matsumoto [34] noted
that $N_1$ of MT19937 is still smaller than $p/2$ and MT19937 has a long-lasting
impact for a bad initial state (e.g., one that contains only a few bits set to
1), when compared to their WELL generators, whose $N_1$'s are almost $p/2$.
Thus, $N_1$ (or $N_1/p$) is also used as a figure of merit for $\mathbb{F}_2$-linear generators.

The above figures of merit are commonly used. To investigate theoretical 
properties in more detail, we may consider a new criterion from another 
perspective. 
4. Lattice structures

We briefly recall a lattice method for computing $k(v)$ in terms of the dual
lattices 0, EH-. Let $K$ denote the formal power series field
$K := \mathbb{F}_2((z^{-1})) = \{\sum_{i=i_0}^{\infty} a_i z^{-i} \mid a_i \in \mathbb{F}_2, i_0 \in \mathbb{Z}\}$.
For $a(z) = \sum_{i=i_0}^{\infty} a_i z^{-i} \in K$, we define a standard norm by

$$|a(z)| := \begin{cases} \max\{-i \in \mathbb{Z} \mid a_i \ne 0\} & \text{if } a(z) \ne 0, \\ -\infty & \text{if } a(z) = 0. \end{cases}$$

For a vector $\mathbf{a}(z) = {}^t(a_0(z), a_1(z), \ldots, a_{v-1}(z)) \in K^v$, we define its norm (or
its length) by $\|\mathbf{a}(z)\| := \max_{1 \le l \le v} |a_{l-1}(z)|$.

A subset $L \subset K^v$ is said to be an $\mathbb{F}_2[z]$-lattice if there exists a $K$-linear
basis $\{\mathbf{v}_1(z), \mathbf{v}_2(z), \ldots, \mathbf{v}_v(z)\}$ of $K^v$ such that $L$ is their span over $\mathbb{F}_2[z]$, i.e.,

$$L = \langle \mathbf{v}_1(z), \mathbf{v}_2(z), \ldots, \mathbf{v}_v(z) \rangle_{\mathbb{F}_2[z]}.$$

Such a set of vectors is called a basis of $L$. We recall the following theorem,
which will be used later:



Theorem 1 ([20, 21]). Let $\mathbf{v}_1(z), \ldots, \mathbf{v}_v(z)$ be the points in an $\mathbb{F}_2[z]$-lattice
$L \subset K^v$ with the following properties:

1. $\mathbf{v}_1(z)$ is a shortest nonzero vector in $L$;

2. for $l = 2, \ldots, v$, $\mathbf{v}_l(z)$ is a shortest vector among the set of vectors $\mathbf{v}(z)$
in $L$ such that $\mathbf{v}_1(z), \ldots, \mathbf{v}_{l-1}(z), \mathbf{v}(z)$ are linearly independent over $K$.

Then $\mathbf{v}_1(z), \ldots, \mathbf{v}_v(z)$ form a basis of $L$.

In the above theorem, such a basis is said to be a reduced basis of $L$. It is not
unique, but the numbers $\nu_l := \|\mathbf{v}_l(z)\|$ ($l = 1, \ldots, v$) are uniquely determined
by a given lattice $L$, and $\nu_1, \ldots, \nu_v$ are called the successive minima of $L$.

Here, we consider an $\mathbb{F}_2$-linear generator. For a given nonzero initial state
$\mathbf{x}_0 \in \mathbb{F}_2^p$, we define the following formal power series $G_{l-1}(z)$ of $l$th bits of the
integer output (i.e., $y_{0,l-1}, y_{1,l-1}, \ldots$):

$$G_{l-1}(z) := \sum_{i=0}^{\infty} y_{i,l-1} z^{-i-1} = y_{0,l-1} z^{-1} + y_{1,l-1} z^{-2} + y_{2,l-1} z^{-3} + \cdots \in \mathbb{F}_2((z^{-1})).$$

Note that $G_{l-1}(z)$ has a rational form $G_{l-1}(z) = h_{l-1}(z)/P(z)$, where $h_{l-1}(z) \in
\mathbb{F}_2[z]$ and $\deg h_{l-1}(z) < \deg P(z)$. If $P(z)$ is irreducible, let $h_0^{-1}(z)$ be a
polynomial that is a multiplicative inverse to $h_0(z)$ modulo $P(z)$. We set
$\bar{h}_{l-1}(z) := h_0^{-1}(z) h_{l-1}(z) \bmod P(z)$ ($2 \le l \le v$). We consider the following
vectors

$$\begin{aligned}
\mathbf{w}_1(z) &= {}^t(P(z), 0, 0, \ldots, 0), \\
\mathbf{w}_2(z) &= {}^t(-\bar{h}_1(z), 1, 0, \ldots, 0), \\
\mathbf{w}_3(z) &= {}^t(-\bar{h}_2(z), 0, 1, \ldots, 0), \\
&\;\;\vdots \\
\mathbf{w}_v(z) &= {}^t(-\bar{h}_{v-1}(z), 0, 0, \ldots, 1),
\end{aligned}$$

and construct an $\mathbb{F}_2[z]$-lattice $\mathcal{L}^* := \langle \mathbf{w}_1(z), \ldots, \mathbf{w}_v(z) \rangle_{\mathbb{F}_2[z]} \subset \mathbb{F}_2[z]^v$, which is
said to be the Couture-L'Ecuyer dual lattice [2].



Theorem 2 ([2]). We consider an $\mathbb{F}_2$-linear generator started from a nonzero
initial state vector. Assume that the characteristic polynomial $P(z)$ of $A$ is
primitive. Then, $k(v) = \nu_1^*$, where $\nu_1^*$ is the first successive minimum of $\mathcal{L}^*$.

We can obtain a reduced basis by using some polynomial-time lattice basis
reduction algorithms (e.g., BH00).

Remark 1. Recently, the author, Matsumoto, and Saito [10] proposed the
SIS method for computing $k(v)$, which is faster than the Couture-L'Ecuyer
dual lattice one, and the author jsj] proposed the PIS method as an
improvement over SIS. The new methods use the lattice points in the original lattices
jsl, [38] (not the dual lattices $\mathcal{L}^*$). As a classical result, it is also possible to
compute $k(v)$ by using linear algebra joj. The aim of this paper is to extract
other information from $\mathcal{L}^*$. This is why we consider the Couture-L'Ecuyer
dual lattice method.



5. A new figure of merit for $\mathbb{F}_2$-linear generators

Usually, when we assess an $\mathbb{F}_2$-linear generator, we only see the length
of a shortest vector (i.e., $k(v)$) as the first filter, and abandon the other
information. In this section, we focus on the polynomial elements of vectors in
$\mathcal{L}^*$, and develop a new figure of merit $N_v$ as a quality criterion in dimensions
that are higher than $k(v)$ and as a multi-dimensional generalization of $N_1$.

First, we arrange the relationship between $\mathbb{F}_2$-linear relations that appear
on the most significant $v$ bits and points in $\mathcal{L}^*$. The following proposition is
obtained by a modification of Lemma 4.40 in [30].

Proposition 3. There exists an $\mathbb{F}_2$-linear relation

$$\sum_{l=1}^{v} \sum_{j=0}^{k-1} w_{j,l-1} y_{i+j,l-1} = 0 \quad \text{for all } i \ge 0, \tag{10}$$

if and only if ${}^t(w_0(z), \ldots, w_{v-1}(z)) \in \mathcal{L}^*$, where $w_{l-1}(z) := \sum_{j=0}^{k-1} w_{j,l-1} z^j \in
\mathbb{F}_2[z]$.

Proof. We consider a linear combination

$$G_0(z)w_0(z) + \cdots + G_{v-1}(z)w_{v-1}(z). \tag{11}$$

For $i \ge 0$, the coefficient of $z^{-i-1}$ in (11) is $\sum_{l=1}^{v} \sum_{j=0}^{k-1} w_{j,l-1} y_{i+j,l-1}$, so that
the coefficients of the negative powers are all zero if and only if (10) holds.
Then, (11) is a polynomial. On the other hand, (11) is also described as
$(h_0(z)w_0(z) + \cdots + h_{v-1}(z)w_{v-1}(z)) / P(z)$. Thus, (10) is equivalent to

$$h_0(z)w_0(z) + \cdots + h_{v-1}(z)w_{v-1}(z) = 0 \mod P(z). \tag{12}$$

Here, we assume (10). By multiplying (12) by $h_0^{-1}(z)$, we have $w_0(z) =
-\bar{h}_1(z)w_1(z) - \cdots - \bar{h}_{v-1}(z)w_{v-1}(z) \bmod P(z)$. In (12), each of the polynomial
solutions ${}^t(w_0(z), \ldots, w_{v-1}(z))$ is written as
$-a(z)\mathbf{w}_1(z) + w_1(z)\mathbf{w}_2(z) + \cdots + w_{v-1}(z)\mathbf{w}_v(z)
= {}^t(-a(z)P(z) - \bar{h}_1(z)w_1(z) - \cdots - \bar{h}_{v-1}(z)w_{v-1}(z), w_1(z), \ldots, w_{v-1}(z))$
for a suitable $a(z) \in \mathbb{F}_2[z]$. Hence, ${}^t(w_0(z), \ldots, w_{v-1}(z)) \in \mathcal{L}^*$.

Conversely, it is easy to see that all of the $\mathbb{F}_2[z]$-linear combinations of
$\mathbf{w}_1(z), \ldots, \mathbf{w}_v(z)$ satisfy (12), because $\mathbf{w}_1(z), \ldots, \mathbf{w}_v(z)$ are solutions in (12), respectively.
Thus, the proposition follows.

Using the above proposition, from vectors of $\mathcal{L}^*$, we obtain information
on $\mathbb{F}_2$-linear relations in dimensions that are higher than $k(v)$. In particular,
a nonzero shortest vector of $\mathcal{L}^*$ corresponds to a non-trivial $\mathbb{F}_2$-linear relation

$$\sum_{l=1}^{v} \sum_{j=0}^{k(v)} w_{j,l-1} y_{i+j,l-1} = 0 \quad \text{for all } i \ge 0, \tag{13}$$

whose degree is minimal for the most significant $v$ bits given. We call (13) a
minimal $\mathbb{F}_2$-linear relation with $v$-bit accuracy. In general, such a minimal
$\mathbb{F}_2$-linear relation is not unique, because a shortest vector is not unique.
Furthermore, we have no non-trivial $\mathbb{F}_2$-linear relation
$\sum_{l=1}^{v} \sum_{j=0}^{k} w_{j,l-1} y_{i+j,l-1} = 0$
for $k < k(v)$. All of the minimal $\mathbb{F}_2$-linear relations with $v$-bit accuracy are
included in all the vectors whose dimensions are higher than $k(v)$, so that
the $(k(v) + 1)$-dimensional case appears to be the most important.

Here, to assess the $\mathbb{F}_2$-linear generators, let us consider whether or not
the minimal $\mathbb{F}_2$-linear relations have simple regularity. The simplest way of
checking this is to enumerate the number of nonzero coefficients $w_{j,l-1}$ in (13).
We call this the weight. When there exist low-weight $\mathbb{F}_2$-linear relations, the
generator may have risks in some situations (see Remark 2). Therefore, we
define the minimum weight $N_v$ by the lowest weight for all the minimal
$\mathbb{F}_2$-linear relations with $v$-bit accuracy in (13), and propose $N_v$ as a new figure
of merit for $\mathbb{F}_2$-linear generators. When $v = 1$, the minimal $\mathbb{F}_2$-linear relation
(13) coincides with a characteristic polynomial $P(z)$, so that $N_v$ equals the
number $N_1$ of nonzero coefficients of $P(z)$. Hence, we can interpret $N_v$ as a
multi-dimensional generalization of $N_1$.

For practical use, we give an algorithm for computing $N_v$ as follows. Let
$\{\mathbf{w}_1(z), \ldots, \mathbf{w}_v(z)\}$ be a reduced basis of $\mathcal{L}^*$. From the uniqueness of the
successive minima, we have an integer $v' \in \{1, \ldots, v\}$ such that
$\|\mathbf{w}_1(z)\| = \cdots = \|\mathbf{w}_{v'}(z)\| < \|\mathbf{w}_{v'+1}(z)\| \le \cdots \le \|\mathbf{w}_v(z)\|$. Then, all the shortest
vectors are described by

$$\{c_1 \mathbf{w}_1(z) + \cdots + c_{v'} \mathbf{w}_{v'}(z) \mid {}^t(c_1, \ldots, c_{v'}) \in \mathbb{F}_2^{v'} \setminus {}^t(0, \ldots, 0)\}, \tag{14}$$

and they correspond to all the minimal $\mathbb{F}_2$-linear relations with $v$-bit accuracy.
The number of the shortest vectors is $2^{v'} - 1$. Here, if we give coefficients
$c_1, \ldots, c_{v'}$ by $v'$-bit Gray code order, it is possible to obtain another shortest
vector by executing the addition only once. In addition, if $v'$ is small and $p$
is not too large (e.g., $v' \le 32$ and $p \le 19937$), we can compute the minimum
weight $N_v$ within a practical time period.
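
The Gray-code enumeration of (14) can be sketched as follows. This is an added example, not code from the paper: each vector is assumed to be stored as a tuple of Python integers (bit $j$ of an integer is the coefficient of $z^j$ in that coordinate), and `TOY_BASIS` is a small constructed basis whose vectors all have norm 4, not a reduced basis of MT19937.

```python
def weight(vec):
    """Number of nonzero polynomial coefficients over all coordinates."""
    return sum(bin(poly).count("1") for poly in vec)


def norm(vec):
    """Largest degree over the coordinates (-1 stands in for -infinity)."""
    return max(poly.bit_length() - 1 for poly in vec)


def min_weight_gray(basis):
    """Minimum weight over all nonzero F_2-combinations of the basis vectors.

    basis: the v' shortest vectors of a reduced basis, each a tuple of ints.
    Returns (minimum weight, (c_1, ..., c_v')) for the first combination
    that attains it.  Walking the coefficients in Gray-code order means
    each step adds (XORs) exactly one basis vector to the running sum.
    """
    v_prime = len(basis)
    dim = len(basis[0])
    current = [0] * dim          # running combination, starts at zero
    selected = 0                 # Gray code word: bit l set <=> c_{l+1} = 1
    best_weight, best_coeffs = None, None
    for step in range(1, 1 << v_prime):
        # Gray(step) and Gray(step - 1) differ in the lowest set bit of step.
        flip = (step & -step).bit_length() - 1
        selected ^= 1 << flip
        for c in range(dim):
            current[c] ^= basis[flip][c]
        wt = weight(current)
        if best_weight is None or wt < best_weight:
            best_weight = wt
            best_coeffs = tuple((selected >> l) & 1 for l in range(v_prime))
    return best_weight, best_coeffs


# Constructed 3-dimensional example (assumption, for illustration only).
# The degree-4 coefficients sit in different coordinates, so every nonzero
# combination keeps norm 4, as shortest vectors of a reduced basis must.
TOY_BASIS = [
    (0b10011, 0b00110, 0b00101),
    (0b00011, 0b10110, 0b00100),
    (0b00001, 0b00001, 0b10001),
]

if __name__ == "__main__":
    print(min_weight_gray(TOY_BASIS))
```

With $v' = 1$ the function returns the weight of the single basis vector, which matches the statement that $N_1$ is the number of nonzero coefficients of $P(z)$.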

Remark 2. We mention a strong relationship between our figure of merit
$N_v$ and the weight discrepancy test proposed by Matsumoto and Nishimura
[27]. For simplicity, consider $k$ successive output values with $v$-bit accuracy,
where $k > k(v)$, and let $\Phi$ be the map from the state vectors to $m := v \times k$
bits in the outputs:

$$\Phi : \mathbb{F}_2^p \to \mathbb{F}_2^m, \quad \mathbf{x}_0 \mapsto (\mathrm{trunc}_v(\mathbf{y}_0), \mathrm{trunc}_v(\mathbf{y}_1), \ldots, \mathrm{trunc}_v(\mathbf{y}_{k-1})). \tag{15}$$

The map $\Phi$ is $\mathbb{F}_2$-linear, so that the image $C \subset \mathbb{F}_2^m$ is a linear subspace. In
coding theory, $C$ is said to be a linear code. The dual code $C^\perp$ of $C$ is defined
by

$$C^\perp := \{\mathbf{c}' \in \mathbb{F}_2^m \mid \langle \mathbf{c}', \mathbf{c} \rangle = 0 \text{ for all } \mathbf{c} \in C\},$$

where $\langle \mathbf{c}', \mathbf{c} \rangle = \sum_{i=1}^{m} c'_i c_i$ is an inner product for $\mathbf{c}' = {}^t(c'_1, \ldots, c'_m) \in \mathbb{F}_2^m$ and
$\mathbf{c} = {}^t(c_1, \ldots, c_m) \in \mathbb{F}_2^m$. Note that $C^\perp$ contains the set of $\mathbb{F}_2$-linear relations
on $m = k \times v$ bits (see [27]).

The weight discrepancy test is a theoretical test for estimating the
deviation of the number of 1's on $m = v \times k$ bits in (15) from the binomial
distribution. Matsumoto and Nishimura [27] gave a formula for computing a
risky sample size from a weight enumerator polynomial of $C$, which is
computed via a weight enumerator polynomial of $C^\perp$ with $k$ being slightly greater
than $k(v)$, and via inversion by the MacWilliams identity. Their paper
implies that if the minimum weight of vectors of $C^\perp$ is more than 15 or 20, a
given generator is safe, but if the weights are too low (e.g., $< 6$), there may
be a possibility of detecting deviations. In fact, we can identify $C^\perp$ with a
set of all the vectors whose lengths are shorter than $k$, so that $N_v$ coincides
with the minimum weight of vectors in $C^\perp$ in the case where $k = k(v) + 1$.
Thus, when $N_v$ is small, a given generator may have some risks.

A drawback of $N_v$ is that we have to execute exhaustive searches, such as
(14), because the weight enumeration (or finding the minimum weight $N_v$) is
NP-hard |!o[ . However, from the viewpoint of speed and memory efficiency,
the use of the Couture-L'Ecuyer dual lattice method appears to be much
superior to the use of the Gaussian elimination on a $p \times m$ matrix in [27]
when we construct a basis of $C^\perp$ (as an $\mathbb{F}_2$-linear vector space) for a large $p$.



6. $\mathbb{F}_2$-linear relations of Mersenne Twister MT19937

In this section, we numerically analyze 32-bit Mersenne Twister MT19937
(i.e., $w = 32$) in terms of the method in Section 5. Tables 1 and 2 list the
successive minima $\nu_1^*, \ldots, \nu_v^*$ of $\mathcal{L}^*$, the dimension defect $d(v)$ at $v$, and
our new figure of merit $N_v$ for each $1 \le v \le 32$. From Theorem 2, note that
$\nu_1^* = k(v)$. As a result, $N_v$'s for lower bits are small.

To conduct statistical tests in the next section, we introduce the minimal
$\mathbb{F}_2$-linear relations with 21-bit and 12-bit accuracy, for example. First, we
analyze the minimal $\mathbb{F}_2$-linear relations with 21-bit accuracy. By checking
all the nonzero shortest vectors in $\mathcal{L}^*$, we obtain the following low-weight
$\mathbb{F}_2$-linear relations: the six-term linear relation
Vi,l + Ui,W + Ui+396,2 + 2/i+396,17 + Z/i+623,2 + 2/i+623,17 = 0, 
Table 1: The successive minima, $d(v)$, and $N_v$ of MT19937.

the seven-term linear relations

$$y_{i,7} + y_{i,14} + y_{i,15} + y_{i+396,8} + y_{i+396,16} + y_{i+623,8} + y_{i+623,16} = 0,$$

$$y_{i,3} + y_{i+396,1} + y_{i+396,4} + y_{i+396,19} + y_{i+623,1} + y_{i+623,4} + y_{i+623,19} = 0,$$

$$y_{i,2} + y_{i,9} + y_{i,10} + y_{i,17} + y_{i,20} + y_{i+396,11} + y_{i+623,11} = 0,$$

and so on. In particular, all of the minimal $\mathbb{F}_2$-linear relations concentrate
on the three non-successive output values $\{\mathbf{y}_i, \mathbf{y}_{i+396}, \mathbf{y}_{i+623}\}$.

In addition to the above, we analyze the minimal $\mathbb{F}_2$-linear relations with
12-bit accuracy. In this case, we have three minimal $\mathbb{F}_2$-linear relations, i.e.,
the five-term linear relation

$$y_{i,2} + y_{i+792,4} + y_{i+792,11} + y_{i+1246,4} + y_{i+1246,11} = 0, \tag{16}$$

and the 18-term and the 19-term linear relations. They appear only on the
five non-successive output values $\{\mathbf{y}_i, \mathbf{y}_{i+396}, \mathbf{y}_{i+623}, \mathbf{y}_{i+792}, \mathbf{y}_{i+1246}\}$.

Consequently, we aim to determine whether there are any observable
deviations for such non-successive output values.



Remark 3. Niederreiter [31, 32] proposed the multiple-recursive matrix method
as a general class of pseudorandom number generators. In this framework,
we can describe Mersenne Twisters in (1) and (2) by the following matrix
linear recurrence:
y, = y l+n2 . ni + TA ( ° °J T-W-m + TA ( \ r ° ) T^-m- 
Table 2: The successive minima, $d(v)$, and $N_v$ of MT19937 (continued).

From a comparison of the lower $r$ coordinates, it is easy to see that there
exist $\mathbb{F}_2$-linear relations among $\{\mathbf{y}_i, \mathbf{y}_{i+n_2-n_1}, \mathbf{y}_{i-n_1}\}$. The Couture-L'Ecuyer
dual lattice method gives explicit $\mathbb{F}_2$-linear relations without direct matrix
computations, and it is applicable not only for Mersenne Twisters defined by
(1) and (2) but also for general $\mathbb{F}_2$-linear generators.
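
The recurrence of Remark 3 can be checked directly on tempered output words. The following is an added example, not code from the paper: the shift and mask constants are those of the MT19937 reference implementation (the page does not list them), CPython's `random.getrandbits(32)` is used as the MT19937 output stream, and the SHA-256 counter stream is a constructed control. Indices are shifted by $n_1$, so $\mathbf{y}_{i+624}$ is computed from $\mathbf{y}_i$, $\mathbf{y}_{i+1}$ and $\mathbf{y}_{i+397}$.

```python
import hashlib
import random

N, M = 624, 397                          # n_1 and n_2 of MT19937
UPPER, LOWER = 0x80000000, 0x7FFFFFFF    # upper w - r = 1 bit, lower r = 31 bits
MATRIX_A = 0x9908B0DF                    # last row of A (reference constant)


def temper(x):
    """The output transformation T of (2), as word operations."""
    x ^= x >> 11
    x ^= (x << 7) & 0x9D2C5680
    x ^= (x << 15) & 0xEFC60000
    x ^= x >> 18
    return x


def _undo_right(y, s):
    """Solve y = x ^ (x >> s) for x by fixed-point iteration."""
    x = y
    for _ in range(32 // s + 1):
        x = y ^ (x >> s)
    return x


def _undo_left(y, s, mask):
    """Solve y = x ^ ((x << s) & mask) for x by fixed-point iteration."""
    x = y
    for _ in range(32 // s + 1):
        x = y ^ ((x << s) & mask)
    return x


def untemper(y):
    """T^{-1}: undo the four tempering steps in reverse order."""
    y = _undo_right(y, 18)
    y = _undo_left(y, 15, 0xEFC60000)
    y = _undo_left(y, 7, 0x9D2C5680)
    return _undo_right(y, 11)


def recurrence_output(y0, y1, y397):
    """y_{i+624} as given by the linear recurrence from y_i, y_{i+1}, y_{i+397}."""
    m0, m1, m397 = untemper(y0), untemper(y1), untemper(y397)
    mixed = (m0 & UPPER) | (m1 & LOWER)          # (m^{w-r} | m^{r})
    m624 = m397 ^ (mixed >> 1) ^ (MATRIX_A if mixed & 1 else 0)
    return temper(m624)


def count_matches(outputs):
    """Return (indices where the relation holds, indices checked)."""
    checked = len(outputs) - N
    hits = sum(
        recurrence_output(outputs[i], outputs[i + 1], outputs[i + M]) == outputs[i + N]
        for i in range(checked)
    )
    return hits, checked


def mt_outputs(seed, count):
    """Consecutive 32-bit MT19937 outputs from CPython's random module."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(count)]


def hash_outputs(seed, count):
    """Constructed control stream: SHA-256 in counter mode, 32-bit words."""
    words, counter = [], 0
    while len(words) < count:
        block = hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        words += [int.from_bytes(block[k:k + 4], "big") for k in range(0, 32, 4)]
        counter += 1
    return words[:count]


if __name__ == "__main__":
    print("MT19937:", count_matches(mt_outputs(20140101, 1500)))
    print("control:", count_matches(hash_outputs(20140101, 1500)))
```

The relation holds at every index of the MT19937 stream and at none of the control stream, which is what makes it usable as a test for whether a word sequence comes from this generator.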



7. Birthday spacings tests for non-successive output values

In this section, we report statistical tests for non-successive output values
of MT19937. In particular, we conduct the birthday spacings test proposed
by Marsaglia [22], which was further studied by Knuth [11] and L'Ecuyer
and Simard [14]. We consider a similar technique proposed in [16, 12] for
the detection of deviations of Deng and his co-authors' multiple recursive
generators (e.g., jij).

Following the notations of [14], we introduce the testing procedure.

We fix two positive integers, $n$ and $t$, and generate $n$ "independent" points
$\mathbf{u}_0, \ldots, \mathbf{u}_{n-1}$ in the $t$-dimensional hypercube $[0, 1)^t$. For the hypercube, we
partition it into $d^t$ cubic boxes of equal size by dividing $[0, 1)$ into $d$ equal
segments. These boxes are numbered from 0 to $d^t - 1$ in lexicographic order,
namely, the box with the lower left corner at $(i_0/d, \ldots, i_{t-1}/d)$ has the number
$c = i_0 d^{t-1} + i_1 d^{t-2} + \cdots + i_{t-1}$. Let $I_1 \le I_2 \le \cdots \le I_n$ be the numbers of the
boxes where these points have fallen, sorted by increasing order. Define the
spacings $S_j := I_{j+1} - I_j$, for $j = 1, \ldots, n - 1$. Let $Y$ be the total number of
collisions of these spacings, i.e., the number of values of $j \in \{1, \ldots, n - 2\}$ such
that $S_{(j+1)} = S_{(j)}$, where $S_{(1)}, \ldots, S_{(n-1)}$ are the spacings sorted by increasing
order. We can view each point $\mathbf{u}_i$ as a "person" with a birthday $I_i$ in a
year having $k$ days. We test the null hypothesis $\mathcal{H}_0$: the PRNG produces
i.i.d. $U(0, 1)$ random variables. If $d^t$ is large and $\lambda = n^3/(4d^t)$ is not too
large, $Y$ is approximately a Poisson distribution with mean $\lambda$ under $\mathcal{H}_0$ (see
3.3.2-28-30 in [11]). We generate $N$ independent replications of $Y$, and add
them. We compute the p-value by using the sum, which is approximately a
Poisson distribution with mean $N\lambda$, under $\mathcal{H}_0$. As a rule of thumb, the error
of approximation is negligible when $d^t > (4N\lambda)^4$ (see [14]). Our experiments
satisfy this rule of thumb. If $d = 2^v$, note that the $t$-dimensional output with
$v$-bit accuracy is tested.

To extract non-successive output values, let us consider the $t$-dimensional
output vectors constructed as

$$\mathbf{u}_i = (u_{(j_t+1)i+j_1}, \ldots, u_{(j_t+1)i+j_t}),$$

for $i = 0, \ldots, n - 1$ with lags $I = \{j_1, \ldots, j_t\}$. In our experiments, we use the
birthday spacings tests implemented in the TestU01 package [15], which is a
software library for statistical tests for pseudorandom number generators.
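
The testing procedure above, with lagged points, written out as an added example (this is not TestU01 code and not from the paper). It assumes 32-bit output words and $d = 2^v$, so a coordinate's segment index is the top $v$ bits of the word; the function names and the scaled-down parameters in the demo are assumptions of this sketch.

```python
import math
import random


def lagged_boxes(words, lags, v, n):
    """Box numbers of the n points u_i = (u_{(j_t+1)i+j_1}, ..., u_{(j_t+1)i+j_t}).

    words: 32-bit outputs; lags: increasing tuple (j_1, ..., j_t); d = 2^v.
    The box number is c = i_0 d^(t-1) + ... + i_(t-1).
    """
    step = lags[-1] + 1
    boxes = []
    for i in range(n):
        c = 0
        for j in lags:
            c = (c << v) | (words[step * i + j] >> (32 - v))
        boxes.append(c)
    return boxes


def collisions(boxes):
    """Y: number of equal neighbours among the sorted spacings."""
    ordered = sorted(boxes)
    spacings = sorted(b - a for a, b in zip(ordered, ordered[1:]))
    return sum(1 for a, b in zip(spacings, spacings[1:]) if a == b)


def poisson_mean(n, d, t):
    """lambda = n^3 / (4 d^t)."""
    return n ** 3 / (4 * d ** t)


def rule_of_thumb_ok(N, n, d, t):
    """d^t > (4 N lambda)^4, the condition for a negligible approximation error."""
    return d ** t > (4 * N * poisson_mean(n, d, t)) ** 4


def poisson_right_pvalue(y, mu):
    """P[X >= y] for X ~ Poisson(mu).

    The upper tail is summed term by term so that very small p-values are
    not lost to cancellation in 1 - CDF.
    """
    def pmf(k):
        return math.exp(-mu + k * math.log(mu) - math.lgamma(k + 1))

    if y <= mu:                      # p-value is not small here
        return 1.0 - sum(pmf(k) for k in range(y))
    total, k, term = 0.0, y, pmf(y)
    while term > 0.0 and term > total * 1e-17:
        total += term
        k += 1
        term *= mu / k               # terms decrease since k > mu
    return total


def birthday_spacings(replications, lags, v, n):
    """Sum Y over the replications; return (sum, N*lambda, right p-value)."""
    total = sum(collisions(lagged_boxes(w, lags, v, n)) for w in replications)
    mu = len(replications) * poisson_mean(n, 1 << v, len(lags))
    return total, mu, poisson_right_pvalue(total, mu)


if __name__ == "__main__":
    # Scaled-down demo (assumed parameters, far smaller than the paper's runs).
    lags, v, n, N = (0, 396, 623), 10, 2000, 2
    rng = random.Random(1)
    reps = [[rng.getrandbits(32) for _ in range((lags[-1] + 1) * n)] for _ in range(N)]
    print(birthday_spacings(reps, lags, v, n))
```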

First, we conduct experiments with the parameter set $(N, n, d, t) = (5, 20000000, 2^{21}, 3)$,
which is just No. 12 of Crush in TestU01. Then, the three-dimensional output
with 21-bit accuracy is tested. As expected, for the points using successive
output values (i.e., $I = \{0, 1, 2\}$) by MT19937, the result appears to be good
(see [15]). On the other hand, we construct the points with the lag based
on $I = \{0, 396, 623\}$. The second row in Table 3 gives the right p-values for
five initial states, and all the p-values are $< 10^{-15}$. Thus, MT19937 with
$I = \{0, 396, 623\}$ decisively fails the birthday spacings tests. This is
probably because there exist low-weight minimal $\mathbb{F}_2$-linear relations with 21-bit
accuracy in Section 6. It takes approximately eight minutes on an Intel Core
i7-3770 3.90 GHz computer (with the gcc compiler with a -O3 optimization
flag on a Linux operating system) for each test.

Next, we conduct birthday spacings tests five times with the parameter
set $(N, n, d, t) = (5, 15000000, 2^{12}, 5)$. Thus, the five-dimensional output with
12-bit accuracy is tested. The third row in Table 3 shows small deviations
for the points with $I = \{0, 396, 623, 792, 1246\}$. It takes approximately 11
minutes for each test in the above environment. Furthermore, we focus on
the five-term $\mathbb{F}_2$-linear relation (16). The last row of Table 3 shows similar
deviations of the birthday spacings tests for $(N, n, d, t) = (5, 20000000, 2^{21}, 3)$
and $I = \{0, 792, 1246\}$.



Table 3: The p-values on the birthday spacings tests with selected lags $I$ for MT19937.

                               1st            2nd            3rd            4th            5th
I = {0,396,623}                1.7 x 10^-16   1.8 x 10~ 1S   3.1 x 10^-21   8.5 x 10^-17   1.4 x 10^-21
I = {0,396,623,792,1246}       4.8 x 10^-5    0.01           1.5 x 10^-4    1.1 x 10^-4    8.5 x 10^-4
I = {0,792,1246}               2.0 x 10^-4    3.0 x 10^-7    3.9 x 10~ e    9.2 x 10^-5    4.5 x 10 _e



8. Some variants of Mersenne Twister generators 

We analyze other $\mathbb{F}_2$-linear generators whose periods are $2^{19937} - 1$ (i.e.,
$p = 19937$ and $w = 32$). First, we investigate the WELL generators [34],
which are variants of Mersenne Twister and have almost optimal $k(v)$ and $N_1$.
A key idea of the improvement is to construct a more complicated transition
matrix $A$ in (6) by using linear recurrences with a double loop, instead of
that with a single loop (1) (see [36] for details). Panneton et al. [34] list
the parameters of WELL generators WELL19937a, which has $\Delta = 4$, and
WELL19937c, which has $\Delta = 0$ (i.e., maximally equidistributed) by adding
the Matsumoto-Kurita tempering [24]. The author [3] also introduced more
simplified temperings required to attain the maximal equidistribution. (We
discovered a typo in Table 4 of [7]. The bitmask 4202000 should be corrected
to 4202010.) All of the WELL generators have $N_1 = 8585$ and $N_v > 9500$
($2 \le v \le 32$), so that we have no low-weight minimal $\mathbb{F}_2$-linear relations.
This implies that we have no suitable lags for which birthday spacings tests
are rejected in $(k(v) + 1)$-dimensional output values. In this respect, the
WELL generators are much superior to MT19937.

As another improvement, the author 0] constructed a maximally
equidistributed Mersenne Twister MEMT19937 by replacing the tempering in (7)
and (8) with a more complicated output transformation $B$, which consists
of a linear combination of some part of the state vector. However, the
author recently noted the following drawbacks: (i) MEMT19937 is sometimes
slower than WELL19937a on some recent platforms; (ii) MEMT19937 has a
small value $N_{32} = 26$. Again, we search for a better parameter set by using
the PIS method jgj]. By trial-and-error, as well as in [7], we obtain a simple
linear transformation:



z   ←  m_i,
z   ←  z ⊕ (m_{i-603} & 53c45278),
z   ←  z ⊕ (z ≪ 8),
z   ←  z ⊕ (z ≪ 14),
z   ←  z ⊕ (z ≫ 18),
y_i ←  z ⊕ (m_{i-5 4} & fab7b141),



where ⊕ denotes bitwise exclusive-or, & bitwise AND, (z ≪ s_1) the $s_1$-bit
left-shift, (z ≫ s_2) the $s_2$-bit right-shift, and 53c45278 and fab7b141
are hexadecimal notations. We replace the tempering (2) with the above,
and we then obtain a maximally equidistributed generator. We name this
MEMT19937-II. MEMT19937-II has $N_1 = 135$ and $N_v > 9000$ ($2 \le v \le 32$),
namely, $N_v$'s significantly increase. This generator passes the Big Crush suite
in the TestU01 statistical test library, with the exception of two linear
complexity tests (test numbers 80 and 81), and these rejections are common
among $\mathbb{F}_2$-linear generators, such as the Mersenne Twister and WELL
generators (see [HI]). Now, MEMT19937-II is available on the author's homepage
[9].

Here, we measure the speed to generate $10^9$ 32-bit unsigned integers on
two different 64-bit CPUs: Intel Core i7-3770 3.90 GHz and AMD Phenom
II X6 1045T 2.70 GHz. We use the gcc compiler with a -O3 optimization flag
on a Linux operating system. In comparison, we also conduct experiments
with MT19937ar, Shawn Cokus' other implementation MT19937ar-cok (both
are obtained from [23]), and WELL19937a. Table 4 gives a summary of the
CPU time (in seconds) and the total dimension defects $\Delta$. MT19937ar-cok
is the fastest, but the maximally equidistributed generator MEMT19937-II
is comparable to MT19937ar on the two platforms.

Finally, we conduct birthday spacings tests for non-successive output
values of MEMT19937-II. Table 5 gives a summary of birthday spacings tests
with the same parameter sets for three- and five-dimensional non-successive
Table 4: CPU time (sec) taken to generate $10^9$ pseudorandom numbers and total dimension
defects $\Delta$.

                 Intel Core i7   AMD Phenom II   Δ
MT19937ar-cok    3.126           4.199           6750
MEMT19937-II     4.348           6.330           0
MT19937ar        4.771           6.106           6750
WELL19937a       4.953           6.678           4


outputs in Section 7. A simple improvement of $B$ also increases $N_v$'s, and
deviations of tests are avoided.



Table 5: The p-values of birthday spacings tests five times for MEMT19937-II.

                               1st    2nd    3rd    4th    5th
I = {0,396,623}                0.60   0.63   0.95   0.17   0.36
I = {0,396,623,792,1246}       0.33   0.57   0.17   0.10   0.03
I = {0,792,1246}               0.93   0.81   0.09   0.22   0.98


9. Conclusions 

We have discussed the relationship between $\mathbb{F}_2$-linear relations and the
Couture-L'Ecuyer dual lattices, and have proposed the new figure of merit
$N_v$ based on the minimum weight of $\mathbb{F}_2$-linear relations for most significant $v$
bits in $(k(v) + 1)$-dimensional output vectors. We presented an algorithm for
computing $N_v$, and applied it to the Mersenne Twister MT19937. The results
showed that MT19937 has low-weight $\mathbb{F}_2$-linear relations, and is rejected
for birthday spacings tests with specific lags, and the reason appears to be
the existence of such $\mathbb{F}_2$-linear relations. To avoid such phenomena, some
improvements of Mersenne Twister generators were also discussed.

The above result of MT19937 will not affect most Monte Carlo simulations
because real simulations are not synchronized with bad lag sets $I$. However,
in general, when strange phenomena occur in simulations, and when these
are due to the regularity of pseudorandom number generators, it is
significantly difficult for experimenters to determine the reason for occurrence of
the strange phenomena. Thus, when designing pseudorandom number
generators, it is important to perform assessments in as many situations as possible
beforehand. In this respect, the Couture-L'Ecuyer lattices are powerful tools
not only for computing $k(v)$ but also for detecting hidden structural defects
of $\mathbb{F}_2$-linear generators.